Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package phpbb3

It fixes two security issues (marked as no-DSA), and an annoying PHP 5.6 incompatibility that throws big red warnings in the administration panel. All those fixes are cherry-picked from upstream, as included in the 3.0.13-PL1 version uploaded to experimental (full debdiff attached):

phpbb3 (3.0.12-4) unstable; urgency=medium

  * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
    (Closes: #776699)
  * Improve PHP 5.6 compatibility: allow mbstring.http_{in,out}put to be set
    as '' as well as 'pass' on install; do not display warning in ACP if so.

 -- David Prévot <taffit@debian.org>  Mon, 02 Feb 2015 20:35:46 -0400

unblock phpbb3/3.0.12-4

Please note that 3.0.13-PL1 fixes more PHP 5.6 compatibility issues, so I’d be grateful if you were inclined to consider approving it into Jessie. Also attached is a diffstat (with translations excluded) to give you an idea of the changes involved; I’ll follow up with a pre-approval request with the actual debdiff if you wish.

Regards

David
diff -Nru phpbb3-3.0.12/debian/changelog phpbb3-3.0.12/debian/changelog --- phpbb3-3.0.12/debian/changelog 2014-10-25 20:58:38.000000000 -0400 +++ phpbb3-3.0.12/debian/changelog 2015-02-02 20:38:36.000000000 -0400 @@ -1,3 +1,12 @@ +phpbb3 (3.0.12-4) unstable; urgency=medium + + * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431] + (Closes: #776699) + * Improve PHP 5.6 compatibility: allow mbstring.http_{in,out}put to be set + as '' as well as 'pass' on install; do not display warning in ACP if so. + + -- David Prévot <taffit@debian.org> Mon, 02 Feb 2015 20:35:46 -0400 + phpbb3 (3.0.12-3) unstable; urgency=medium * Adapt update_languages script to new scheme diff -Nru phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch --- phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch 1969-12-31 20:00:00.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch 2015-02-01 22:01:05.000000000 -0400 
@@ -0,0 +1,70 @@ +Description: Explicitly disallow trailing paths + CSRF potentially allowing an attacker to modify the private message + setting that determines how full folders are handled (i.e. whether to + delete the oldest message or hold the new message until further space + is available). + [CVE-2015-1432] +Author: Marc Alexander <admin@m-a-styles.de> +Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456 +Bug: https://tracker.phpbb.com/browse/PHPBB3-13531, https://tracker.phpbb.com/browse/PHPBB3-13549 +Bug-Debian: https://bugs.debian.org/776699 +Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/4b9434bf1ba4c015da11309602cfccf1a9c2493c https://github.com/phpbb/phpbb/commit/e34b92882a51dc89da88464b8c751a9d93a03124 https://github.com/phpbb/phpbb/commit/74950559074d738733ac1258b07912f9ca14203a +Reviewed-by: Andreas Fischer <bantu@phpbb.com>, Nils Adermann <naderman@naderman.de> +Last-Update: 2015-02-01 +--- a/includes/startup.php ++++ b/includes/startup.php +@@ -113,6 +113,54 @@ + unset($input); + } + ++/** ++ * Check if requested page uses a trailing path ++ * ++ * @param string $phpEx PHP extension ++ * ++ * @return bool True if trailing path is used, false if not ++ */ ++function phpbb_has_trailing_path($phpEx) ++{ ++ // Check if path_info is being used ++ if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO'])) ++ { ++ return true; ++ } ++ ++ // Match any trailing path appended to a php script in the REQUEST_URI. ++ // It is assumed that only actual PHP scripts use names like foo.php. Due ++ // to this, any phpBB board inside a directory that has the php extension ++ // appended to its name will stop working, i.e. if the board is at ++ // example.com/phpBB/test.php/ or example.com/test.php/ ++ if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . 
'/#', $_SERVER['REQUEST_URI'])) ++ { ++ return true; ++ } ++ ++ return false; ++} ++ ++// Check if trailing path is used ++if (phpbb_has_trailing_path($phpEx)) ++{ ++ if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi') ++ { ++ $prefix = 'Status:'; ++ } ++ else if (!empty($_SERVER['SERVER_PROTOCOL'])) ++ { ++ $prefix = $_SERVER['SERVER_PROTOCOL']; ++ } ++ else ++ { ++ $prefix = 'HTTP/1.0'; ++ } ++ header("$prefix 404 Not Found", true, 404); ++ echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0'; ++ exit; ++} ++ + // Register globals and magic quotes have been dropped in PHP 5.4 + if (version_compare(PHP_VERSION, '5.4.0-dev', '>=')) + { diff -Nru phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch --- phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch 1969-12-31 20:00:00.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch 2015-02-01 22:10:06.000000000 -0400 
@@ -0,0 +1,27 @@ +Description: Correctly validate the ucp_pm_options form key + This allows an attacker to load arbitrary CSS in Internet Explorer by + crafting a URL with trailing paths after a PHP file (for example + /path/index.php/more/path). This is only possible if the webserver + configuration allows accessing PHP files in this manner. +Author: Joas Schilling <nickvergessen@gmx.de> +Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456 +Bug: https://tracker.phpbb.com/browse/PHPBB3-13526 +Bug-Debian: https://bugs.debian.org/776699 +Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449 +Reviewed-by: Andreas Fischer <bantu@phpbb.com> +Last-Update: 2015-02-01 +--- a/includes/ucp/ucp_pm_options.php ++++ b/includes/ucp/ucp_pm_options.php +@@ -29,7 +29,11 @@ + // Change "full folder" setting - what to do if folder is full + if (isset($_POST['fullfolder'])) + { +- check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url); ++ if (!check_form_key('ucp_pm_options')) ++ { ++ trigger_error('FORM_INVALID'); ++ } ++ + $full_action = request_var('full_action', 0); + + $set_folder_id = 0; diff -Nru phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch --- phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch 1969-12-31 20:00:00.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch 2015-02-02 20:34:51.000000000 -0400 
@@ -0,0 +1,45 @@ +Description: Handle mbstring.http_{in,out}put for PHP 5.6 + Having mbstring.http_input set to '' is as good as 'pass'. + Fix mbstring warnings in ACP for PHP 5.6 compatibility. +Author: Andreas Fischer <bantu@phpbb.com>, Oliver Schramm <oliver.schramm97@gmail.com> +Origin: upstream +Bug: https://tracker.phpbb.com/browse/PHPBB3-12468 https://tracker.phpbb.com/browse/PHPBB3-13168 +Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/370015c1a5f490a7fae85da268b81cb8d1748f50 https://github.com/phpbb/phpbb/commit/53f166274aaa55b98a1c671dbb5cbd403d879157 +Reviewed-by: Nils Adermann <naderman@naderman.de> +Last-Update: 2015-02-02 +--- a/includes/acp/acp_main.php ++++ b/includes/acp/acp_main.php +@@ -610,8 +610,8 @@ + 'S_MBSTRING_LOADED' => true, + 'S_MBSTRING_FUNC_OVERLOAD_FAIL' => (intval(@ini_get('mbstring.func_overload')) & (MB_OVERLOAD_MAIL | MB_OVERLOAD_STRING)), + 'S_MBSTRING_ENCODING_TRANSLATION_FAIL' => (@ini_get('mbstring.encoding_translation') != 0), +- 'S_MBSTRING_HTTP_INPUT_FAIL' => (@ini_get('mbstring.http_input') != 'pass'), +- 'S_MBSTRING_HTTP_OUTPUT_FAIL' => (@ini_get('mbstring.http_output') != 'pass'), ++ 'S_MBSTRING_HTTP_INPUT_FAIL' => !in_array(@ini_get('mbstring.http_input'), array('pass', '')), ++ 'S_MBSTRING_HTTP_OUTPUT_FAIL' => !in_array(@ini_get('mbstring.http_output'), array('pass', '')), + )); + } + +--- a/install/install_install.php ++++ b/install/install_install.php +@@ -273,8 +273,8 @@ + $checks = array( + array('func_overload', '&', MB_OVERLOAD_MAIL|MB_OVERLOAD_STRING), + array('encoding_translation', '!=', 0), +- array('http_input', '!=', 'pass'), +- array('http_output', '!=', 'pass') ++ array('http_input', '!=', array('pass', '')), ++ array('http_output', '!=', array('pass', '')) + ); + + foreach ($checks as $mb_checks) +@@ -295,7 +295,8 @@ + break; + + case '!=': +- if ($ini_val != $mb_checks[2]) ++ if (!is_array($mb_checks[2]) && $ini_val != $mb_checks[2] || ++ is_array($mb_checks[2]) && !in_array($ini_val, 
$mb_checks[2])) + { + $result = '<strong style="color:red">' . $lang['NO'] . '</strong>'; + $passed['mbstring'] = false; diff -Nru phpbb3-3.0.12/debian/patches/series phpbb3-3.0.12/debian/patches/series --- phpbb3-3.0.12/debian/patches/series 2014-04-11 17:25:58.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/series 2015-02-02 20:27:08.000000000 -0400 @@ -5,3 +5,6 @@ 031_fix_installer.patch fix_chown.patch privacy-breach-generic.patch +fix_CVE-2015-1431.patch +fix_CVE-2015-1432.patch +improve_php_5.6_compatibility.patch
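Review bot: in fix_CVE-2015-1431.patch (includes/startup.php hunk @@ -113,6 +113,54 @@), the DEP-3 header does not match the code it carries: the Description line "Explicitly disallow trailing paths" fits the hunk, but the long description beneath it describes the CSRF issue in the private-message "full folder" setting and cites [CVE-2015-1432], which is what fix_CVE-2015-1432.patch fixes. The two long descriptions look swapped between the files; move this paragraph to the other patch and bring the trailing-path/CSS-injection paragraph here. Two smaller points in the same hunk: phpbb_has_trailing_path() is called with $phpEx, which the hunk never defines, so startup.php now depends on the including script having set it and a short comment saying so would help; and the error string 'Trailing paths and PATH_INFO is not supported by phpBB 3.0' should read 'are not supported'.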
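Review bot: in fix_CVE-2015-1432.patch (includes/ucp/ucp_pm_options.php hunk @@ -29,7 +29,11 @@), the replacement call drops the two arguments the removed line passed, $config['form_token_lifetime'] and $redirect_url, and on a bad token now calls trigger_error('FORM_INVALID') instead of relying on a redirect. That is the right fix, since the removed line discarded the return value of check_form_key() and so never enforced the token, but the change in arguments and in failure behaviour should be stated in the patch description. That description is also the wrong one: it is headed "Correctly validate the ucp_pm_options form key", yet the paragraph beneath describes loading arbitrary CSS in Internet Explorer via trailing paths such as /path/index.php/more/path, which is the fix_CVE-2015-1431.patch change; swap it with the CSRF paragraph currently sitting in that file.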
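Review bot: in improve_php_5.6_compatibility.patch (includes/acp/acp_main.php hunk @@ -610,8 +610,8 @@), the two new in_array() calls use loose comparison, so should @ini_get() ever return false for one of these directives, it compares equal to '' and is reported as passing, whereas the removed "!= 'pass'" check flagged that case. If treating an unset directive as equivalent to 'pass' is intended, say so in a comment; otherwise pass true as the third argument, e.g. `'S_MBSTRING_HTTP_INPUT_FAIL' => !in_array(@ini_get('mbstring.http_input'), array('pass', ''), true),` and likewise for http_output.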
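Review bot: in improve_php_5.6_compatibility.patch (install/install_install.php hunk @@ -295,7 +295,8 @@), the new condition in the '!=' case relies on && binding tighter than ||; it is correct as written, but the two alternatives should be parenthesised so the intent survives the next edit: `if ((!is_array($mb_checks[2]) && $ini_val != $mb_checks[2]) || (is_array($mb_checks[2]) && !in_array($ini_val, $mb_checks[2])))`. The case label is now also doing double duty: for the http_input and http_output rows changed in the @@ -273,8 +273,8 @@ hunk, '!=' means "not one of the listed values", which the array branch handles but the label does not say; a comment on the case, or a distinct operator name for the list form, would make the $checks table easier to read.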
.htaccess | 56 +
adm/style/acp_inactive.html | 2
adm/style/acp_update.html | 2
adm/style/acp_users_overview.html | 2
adm/style/admin.css | 10
adm/style/editor.js | 2
debian/changelog | 23
debian/copyright | 14
debian/database_update_debian.php | 2
debian/get-orig-source | 15
debian/patches/012_disable_version_check.patch | 6
debian/patches/021_multisite.patch | 8
debian/patches/022_multisite_installer.patch | 8
debian/patches/fix_CVE-2015-1431.patch | 70 -
debian/patches/fix_CVE-2015-1432.patch | 27
debian/patches/improve_php_5.6_compatibility.patch | 45 -
debian/patches/series | 3
debian/schema_data_debian.sql | 2
debian/update_languages | 1
debian/upstream/phpbb3.info | 6
debian/upstream/phpbb3_l10n-ar.info | 1
debian/upstream/phpbb3_l10n-be.info | 2
debian/upstream/phpbb3_l10n-bg.info | 1
debian/upstream/phpbb3_l10n-ca.info | 1
debian/upstream/phpbb3_l10n-cs.info | 1
debian/upstream/phpbb3_l10n-da.info | 1
debian/upstream/phpbb3_l10n-de-x-sie.info | 1
debian/upstream/phpbb3_l10n-de.info | 1
debian/upstream/phpbb3_l10n-el.info | 1
debian/upstream/phpbb3_l10n-en-us.info | 1
debian/upstream/phpbb3_l10n-en.info | 1
debian/upstream/phpbb3_l10n-es-ar.info | 1
debian/upstream/phpbb3_l10n-es-mx.info | 1
debian/upstream/phpbb3_l10n-es-x-tu.info | 1
debian/upstream/phpbb3_l10n-es.info | 1
debian/upstream/phpbb3_l10n-et.info | 5
debian/upstream/phpbb3_l10n-eu.info | 1
debian/upstream/phpbb3_l10n-fa.info | 1
debian/upstream/phpbb3_l10n-fi.info | 2
debian/upstream/phpbb3_l10n-fr.info | 1
debian/upstream/phpbb3_l10n-gd.info | 1
debian/upstream/phpbb3_l10n-gl.info | 1
debian/upstream/phpbb3_l10n-he.info | 1
debian/upstream/phpbb3_l10n-hr.info | 4
debian/upstream/phpbb3_l10n-hu.info | 1
debian/upstream/phpbb3_l10n-id.info | 1
debian/upstream/phpbb3_l10n-it.info | 1
debian/upstream/phpbb3_l10n-ja.info | 1
debian/upstream/phpbb3_l10n-ku.info | 1
debian/upstream/phpbb3_l10n-lt.info | 1
debian/upstream/phpbb3_l10n-mk.info | 1
debian/upstream/phpbb3_l10n-nl-x-formal.info | 5
debian/upstream/phpbb3_l10n-nl.info | 6
debian/upstream/phpbb3_l10n-pl.info | 1
debian/upstream/phpbb3_l10n-pt-br.info | 1
debian/upstream/phpbb3_l10n-pt.info | 1
debian/upstream/phpbb3_l10n-ro.info | 5
debian/upstream/phpbb3_l10n-ru.info | 5
debian/upstream/phpbb3_l10n-sk.info | 1
debian/upstream/phpbb3_l10n-sl.info | 1
debian/upstream/phpbb3_l10n-sr-latn.info | 1
debian/upstream/phpbb3_l10n-sr.info | 1
debian/upstream/phpbb3_l10n-sv.info | 1
debian/upstream/phpbb3_l10n-th.info | 1
debian/upstream/phpbb3_l10n-tr.info | 1
debian/upstream/phpbb3_l10n-tt.info | 1
debian/upstream/phpbb3_l10n-uk.info | 1
debian/upstream/phpbb3_l10n-ur.info | 1
debian/upstream/phpbb3_l10n-vi.info | 1
debian/upstream/phpbb3_l10n-zh-cmn-hans.info | 1
debian/upstream/phpbb3_l10n-zh_cmn_hant.info | 6
debian/watch | 2
docs/AUTHORS | 9
docs/CHANGELOG.html | 207 ++++-
docs/INSTALL.html | 7
docs/README.html | 2
docs/coding-guidelines.html | 20
includes/acm/acm_memory.php | 16
includes/acp/acp_attachments.php | 2
includes/acp/acp_board.php | 2
includes/acp/acp_forums.php | 1
includes/acp/acp_main.php | 4
includes/acp/acp_php_info.php | 2
includes/acp/acp_update.php | 5
includes/acp/acp_users.php | 12
includes/auth/auth_ldap.php | 4
includes/bbcode.php | 9
includes/constants.php | 2
includes/db/db_tools.php | 152 ++-
includes/functions.php | 8
includes/functions_admin.php | 16
includes/functions_content.php | 22
includes/functions_install.php | 2
includes/functions_module.php | 6
includes/functions_posting.php | 4
includes/functions_privmsgs.php | 2
includes/functions_profile_fields.php | 2
includes/functions_upload.php | 31
includes/functions_user.php | 28
includes/mcp/info/mcp_pm_reports.php | 2
includes/mcp/mcp_pm_reports.php | 1
includes/mcp/mcp_post.php | 1
includes/mcp/mcp_queue.php | 6
includes/mcp/mcp_reports.php | 1
includes/search/fulltext_native.php | 41 -
includes/session.php | 22
includes/startup.php | 76 +
includes/ucp/ucp_pm_options.php | 6
includes/ucp/ucp_profile.php | 3
includes/ucp/ucp_remind.php | 2
install/convertors/convert_phpbb20.php | 2
install/database_update.php | 24
install/index.php | 3
install/install_convert.php | 2
install/install_install.php | 50 +
install/schemas/mssql_schema.sql | 605 +++++++--------
install/schemas/schema_data.sql | 4
language/en/acp/ban.php | 4
language/en/acp/board.php | 4
language/en/acp/common.php | 2
language/en/acp/email.php | 2
language/en/acp/users.php | 1
language/en/common.php | 8
language/en/email/forum_notify.txt | 2
language/en/email/newtopic_notify.txt | 2
language/en/email/topic_notify.txt | 3
language/en/memberlist.php | 1
language/en/posting.php | 3
language/en/ucp.php | 2
search.php | 15
styles/prosilver/imageset/imageset.cfg | 2
styles/prosilver/style.cfg | 2
styles/prosilver/template/editor.js | 2
styles/prosilver/template/forum_fn.js | 2
styles/prosilver/template/forumlist_body.html | 2
styles/prosilver/template/mcp_post.html | 4
styles/prosilver/template/overall_footer.html | 2
styles/prosilver/template/posting_smilies.html | 4
styles/prosilver/template/template.cfg | 2
styles/prosilver/template/ucp_groups_manage.html | 2
styles/prosilver/template/ucp_pm_viewmessage_print.html | 2
styles/prosilver/template/ucp_profile_profile_info.html | 6
styles/prosilver/template/ucp_profile_reg_details.html | 3
styles/prosilver/template/viewtopic_print.html | 2
styles/prosilver/theme/colours.css | 32
styles/prosilver/theme/forms.css | 10
styles/prosilver/theme/theme.cfg | 2
styles/subsilver2/imageset/imageset.cfg | 2
styles/subsilver2/style.cfg | 4
styles/subsilver2/template/editor.js | 2
styles/subsilver2/template/mcp_post.html | 2
styles/subsilver2/template/memberlist_view.html | 2
styles/subsilver2/template/overall_header.html | 2
styles/subsilver2/template/posting_smilies.html | 4
styles/subsilver2/template/template.cfg | 2
styles/subsilver2/template/ucp_header.html | 4
styles/subsilver2/template/ucp_pm_history.html | 2
styles/subsilver2/template/ucp_pm_viewmessage_print.html | 1
styles/subsilver2/template/ucp_profile_reg_details.html | 3
styles/subsilver2/template/ucp_profile_signature.html | 43 -
styles/subsilver2/template/viewtopic_print.html | 1
styles/subsilver2/theme/stylesheet.css | 17
styles/subsilver2/theme/theme.cfg | 2
viewtopic.php | 24
164 files changed, 1257 insertions(+), 806 deletions(-)
Attachment:
signature.asc
Description: Digital signature